Skill v0.1.0

ClawScan security

Juso Address Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 12:09 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: This is a small CLI wrapper that calls the official juso.go.kr APIs and behaves like its README/SKILL.md describe, but the package metadata omits the environment variables and CLI dependencies the scripts actually require — verify keys and dependencies before installing.
Guidance
This skill appears to be a straightforward wrapper for the official juso.go.kr APIs and is coherent with its documentation. Before installing:
1) Verify you have and will provide the required API keys (JUSO_CONFM_KEY for search/eng, JUSO_CONFM_KEY_COORD for coord) and only grant the grade-B coord key when you need coordinates.
2) Ensure the agent environment has curl, jq, bash (and python3 if you plan to use any helper tooling); the registry metadata did not declare these dependencies.
3) Inspect the scripts locally (they are short and readable) and confirm they only call https://business.juso.go.kr endpoints.
4) Store API keys securely (do not embed them in public repos or share them).
If you need absolute assurance, ask the maintainer to update the skill registry metadata to list the required env vars and binaries so the harness can surface missing prerequisites automatically.

Review Dimensions

Purpose & Capability
Rating: note
The name/description and the scripts align: they call juso.go.kr endpoints to search/resolve Korean road addresses. However, the registry metadata claims no required environment variables or binaries, while the SKILL.md and scripts require JUSO_CONFM_KEY, JUSO_CONFM_KEY_COORD and common CLI tools (curl, jq, bash, python3). This is an inconsistency in the declared requirements (likely a packaging/metadata oversight) but not evidence of malicious behavior.

Instruction Scope
Rating: ok
SKILL.md and the scripts are narrowly scoped: they only build queries and call juso.go.kr endpoints, parse JSON with jq, and emit JSONL. The instructions do not read unrelated system files, do not call external endpoints other than the government API, and do not exfiltrate other data.

Install Mechanism
Rating: ok
No install spec is provided (instruction-only wrapper with shipped scripts). That keeps install risk low; the repository contains simple shell scripts and no downloads from third-party URLs or extract operations.

Credentials
Rating: note
The environment variables the scripts require (JUSO_CONFM_KEY and JUSO_CONFM_KEY_COORD) are appropriate and necessary for the stated functionality. The mismatch is that the registry metadata lists no required env vars — the skill will fail at runtime without those keys. There are no requests for unrelated secrets or excessive credentials.

Persistence & Privilege
Rating: ok
The skill is not marked always:true, does not request elevated or persistent system privileges, and does not modify other skills or system-wide configs. Agent autonomous invocation is allowed (default) but is not combined with other concerning indicators.